The hacks on coming. Even as reporters were still poring through a Wikileaks dump of emails stolen from the accounts of the Democratic National Committee and Hillary Clinton’s campaign staff earlier this year, someone compromised the Twitter account of her campaign chair, John Podesta, and tweeted a pro-Trump message. Since the team clearly continues to be targeted, now seems like a good time to run down some basic security hygiene.
None of this is advanced infosec. It wouldn’t, by itself, stop a determined hacker, especially one with ample, state-sponsored resources. The good news, though, is that it would help, and more important, anyone can implement it—whether they’re DNC, GOP, or just your average WIRED reader. Everyone needs a little more security in their lives. Here’s how to add some to yours.
Use Better Passwords
That’s passwords, plural. It seems likely that Podesta’s Twitter account was hacked not because of any advanced technique but because a recent Wikileaks email dump included his Gmail credentials. If Podesta used the same email across multiple accounts, as appears to be the case, access was as simple as plugging them into various other services. That also explains why Podesta’s iCloud and Outlook accounts appear to have been compromised as well.
According to multiple password experts we’ve talked to, the single best way to avoid this type of break-in is to use a password manager to generate unique credentials across all of your accounts. Here are some you can try out for free. Failing that, make sure your passwords are at least 12 characters long, avoid common sports and pop culture references, and don’t change them so dang often.
Turn on Two-Factor Authentication
A strong password is great. Using two-factor authentication as an extra layer of security? Even greater. And it could have saved Podesta’s Twitter account, even if his password was public knowledge.
When you turn on two-factor—here’s how to do it on Twitter specifically—any attempts to sign on from a new device will require a special code to go through. That means someone pretending to be John Podesta wouldn’t be able to crack his Twitter account (or most other services, given two-factor’s increasing popularity) unless they were also in a position to receive that code, most commonly given out via text message. In other words, unless you have John Podesta’s phone, you can’t break into John Podesta’s digital domains.
But Maybe Not Via Text
For most people, two-factor authentication via text message is just fine. If you’re a likely target, though, it’s too easily overcome. The FTC’s lead technologist, Lorrie Cranor, discovered that the hard way, as did activist DeRay McKesson, both of whom experienced a messaging hack earlier this year.
Texts are vulnerable because it’s too easy to transfer someone’s phone number to another device. In many cases, all you need is a name and the last four digits of their SSN, or just a gullible person on the carrier’s customer service line. Once someone has your phone number on their device, they can get into whatever account they please.
The good news is, there are hardware keys, USB drives that support apps like Gmail and Dropbox, providing two-factor authentication locally. It’s a hassle, but it’s worth it if you know hackers might be gunning for you.
Specifically, use end-to-end encryption with your messaging. Even more specifically, use Signal, the gold standard in encrypted messaging. (It underlies encrypted services from Whatsapp and Facebook Messenger as well.) That way no one can intercept what you send and receive in transit, whether it’s voice or text, on your phone or desktop. Signal even just added a disappearing message feature, for an extra layer of privacy.
Don’t Fall For Phishing
The prime suspect in major breaches tends to be sophisticated phishing attacks. Clicking the wrong link really can open you and your entire network up to some very serious fallout. Even clicking the wrong ad sometimes can do it; there’s been a recent uptick in “malvertising,” compromised ad networks that sneak malware in through seemingly innocuous advertisements.
The best advice? If you don’t trust it, don’t click it. And before you trust it, double check that email address to make sure the sender is who it claims to be.
The odds are still generally in a hacker’s favor, especially if they’re sophisticated and determined. But sticking to the basics would almost certainly have helped John Podesta. And it could help you from sharing his predicament.